You can set up Nginx Ingress Controller as a front-end for the communication between external users and the application. 

...

  1. Run the following command to add the Nginx Ingress Controller repository. 

    helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx


  2. Run the following command to create a namespace.

    kubectl create namespace <ingress>

    Where,

    ingress is the name of the namespace.

  3. Run the command as shown in the example below to install the Nginx Ingress Controller Helm chart.

    helm install <my-ingress-nginx> <ingress-nginx/ingress-nginx> -n <namespace>

    Where,
    my-ingress-nginx is the name of the Nginx Ingress release.
    ingress-nginx/ingress-nginx is the repository path.

Configuring SSL in Kubernetes Ingress

If you're using a Kubernetes ingress controller as a front-end for the Webapp Gateway microservice, you need to configure SSL through the Kubernetes Ingress object.

You can secure an Ingress by specifying a Secret that contains a TLS private key and certificate. The Ingress resource only supports a single TLS port, 443, and assumes TLS termination at the ingress point (traffic to the Service and its Pods is in plaintext). If the TLS configuration section in an Ingress specifies different hosts, they are multiplexed on the same port according to the hostname specified through the SNI TLS extension (provided the Ingress controller supports SNI).

Info
You can generate TLS/SSL certificates by using any tool.

The TLS secret must contain keys named tls.crt and tls.key that contain the certificate and private key to use for TLS.

Referencing this secret in an Ingress tells the Ingress controller to secure the channel from the client to the load balancer using TLS. You need to make sure the TLS secret you created came from a certificate that contains a Common Name (CN), also known as a Fully Qualified Domain Name (FQDN), for example, dummy.adeptia.com.
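
The checks below are an added example, not part of the original page: before the certificate and key are stored as tls.crt and tls.key, they confirm that the key belongs to the certificate, that the certificate is valid for the external FQDN, and that it is not about to expire. The function names and the throwaway self-signed certificate are constructed for illustration, and the openssl CLI is assumed to be installed.

```shell
#!/bin/sh
# Pre-flight checks for the files that will become tls.crt and tls.key.
# Function names are illustrative; requires the openssl CLI.

# Succeeds only if the private key belongs to the certificate.
cert_matches_key() {  # usage: cert_matches_key <cert.pem> <key.pem>
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Succeeds only if the certificate is valid for the given FQDN.
cert_covers_host() {  # usage: cert_covers_host <cert.pem> <fqdn>
    openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null |
        grep -q "does match certificate"
}

# Succeeds only if the certificate is still valid 30 days from now.
cert_not_expiring() {  # usage: cert_not_expiring <cert.pem>
    openssl x509 -in "$1" -noout -checkend $((30 * 24 * 3600)) >/dev/null 2>&1
}

preflight() {  # usage: preflight <cert.pem> <key.pem> <fqdn>
    cert_matches_key "$1" "$2" || { echo "FAIL: key does not match certificate"; return 1; }
    cert_covers_host "$1" "$3" || { echo "FAIL: certificate is not valid for $3"; return 1; }
    cert_not_expiring "$1" || { echo "FAIL: certificate expires within 30 days"; return 1; }
    echo "OK: kubectl create secret tls <secret_name> --cert=$1 --key=$2 -n <namespace>"
}

# Constructed sample input: a throwaway self-signed certificate for the
# page's example FQDN, plus an unrelated key to show the mismatch case.
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
openssl req -x509 -newkey rsa:2048 -nodes -days 90 -subj "/CN=dummy.adeptia.com" \
    -addext "subjectAltName=DNS:dummy.adeptia.com" \
    -keyout "$demo/tls.key" -out "$demo/tls.crt" 2>/dev/null
openssl genrsa -out "$demo/other.key" 2048 2>/dev/null

preflight "$demo/tls.crt" "$demo/tls.key" dummy.adeptia.com
preflight "$demo/tls.crt" "$demo/other.key" dummy.adeptia.com || true
preflight "$demo/tls.crt" "$demo/tls.key" other.example.com || true
```

Only the first call reports OK and prints the kubectl command to run; the other two show the mismatched-key and wrong-host failures.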

Note: There is a gap between TLS features supported by various Ingress controllers. Please refer to the documentation on nginx, GCE, or any other platform-specific Ingress controller to understand how TLS works in your environment.

For more details, refer to the official Kubernetes documentation.

After you've configured the Ingress, follow the steps below in the given sequence.

Exporting the public key of Webapp Gateway/Ingress controller 

The steps for exporting the public key of the Webapp Gateway/Ingress controller external URL (external FQDN, for example, dummy.adeptia.com) vary from browser to browser. It is recommended that you export the key in the DER encoded binary X.509 (.CER) format. The following steps export the public key in the Google Chrome browser.

  1. Enter the Adeptia Connect application URL (client-specific according to client domain) in the browser.
    The login page opens.
  2. Click the Chrome menu icon > More tools > Developer tools.
  3. Click the Security tab.
  4. Click View Certificate.

  5. On the Certificate window, on the Details tab, click Copy to File.

  6. Click Next to start exporting the certificate.

  7. Choose DER encoded binary X.509 (.CER) and click Next.

  8. Specify the location to save the exported file and click Next.

  9. Click Finish to export.
  10. Click OK to exit from the wizard.

Importing the Webapp Gateway/Ingress controller certificate 

This section helps you import the SSL certificate into the microservices Truststore.

Follow the steps given below to import the SSL certificate into the Webapp Gateway microservice Truststore with the alias name adeptia.

  1. Run the following kubectl command to copy the certificate to the PVC or shared storage volume for the Webapp Gateway pod.

    kubectl --namespace <namespace_name> cp <local_path_for_SSL_certificate> <pod_name>:shared/truststore/<SSL_certificate_name>


  2. Navigate to the Microservice pod (e.g., Webrunner) by running the following command.

    kubectl --namespace <namespace_name> exec -it <pod_name> -- sh


  3. Run the following keytool command to import the certificate.

    keytool -import -trustcacerts -file <Path_of_SSL_Certificate> -alias <alias_name> -keystore <Path of cacerts file>

    Where,

    <Path_of_SSL_Certificate> is the path of the SSL certificate.

    <Path of cacerts file> is the path of the Truststore.

    For example,

    keytool -import -trustcacerts -file shared/truststore/ssl-certs.cer -alias adeptia -keystore shared/truststore/cacerts

    You'll be prompted to enter a password. Enter the default password changeit.

  4. Run the exit command to exit from the pod shell.
  5. Restart all the Microservices to bring the changes into effect.
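
A browser export captures whatever certificate the browser was actually served, so it is worth confirming that the exported .CER file is the certificate configured on the Ingress before importing it into the Truststore. The following is an added example, not part of the original page; the function names, the file names other than ssl-certs.cer, and the sample certificates are constructed, and the openssl CLI is assumed to be installed.

```shell
#!/bin/sh
# Confirm that the browser-exported .cer is the certificate configured on the
# Ingress before importing it. Function names are illustrative; requires openssl.

# Print the SHA-256 fingerprint of a certificate file ($2 is DER or PEM).
cert_fingerprint() {  # usage: cert_fingerprint <file> <DER|PEM>
    openssl x509 -in "$1" -inform "$2" -noout -fingerprint -sha256 2>/dev/null |
        cut -d= -f2
}

# Succeeds only if the DER export and the PEM file hold the same certificate.
same_certificate() {  # usage: same_certificate <exported.cer> <tls.crt>
    exported=$(cert_fingerprint "$1" DER)
    configured=$(cert_fingerprint "$2" PEM)
    [ -n "$exported" ] && [ "$exported" = "$configured" ]
}

check_export() {  # usage: check_export <exported.cer> <tls.crt>
    if same_certificate "$1" "$2"; then
        echo "OK: $(cert_fingerprint "$1" DER)"
    else
        echo "MISMATCH: $1 is not the certificate configured on the Ingress"
        return 1
    fi
}

# Constructed sample input: the Ingress certificate, its DER export, and a
# DER export of an unrelated certificate issued for the same name.
work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
new_cert() {  # usage: new_cert <basename>
    openssl req -x509 -newkey rsa:2048 -nodes -days 90 -subj "/CN=dummy.adeptia.com" \
        -keyout "$work/$1.key" -out "$work/$1.crt" 2>/dev/null
}
new_cert tls
new_cert unrelated
openssl x509 -in "$work/tls.crt" -outform DER -out "$work/ssl-certs.cer"
openssl x509 -in "$work/unrelated.crt" -outform DER -out "$work/unexpected.cer"

check_export "$work/ssl-certs.cer" "$work/tls.crt"
check_export "$work/unexpected.cer" "$work/tls.crt" || true
```

After the import, `keytool -list -v -alias adeptia -keystore shared/truststore/cacerts` prints the stored certificate's fingerprints, which can be compared against the same value.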